Bulletproof TLS Newsletter #72
Cross-signature will keep Let’s Encrypt compatible with old Android
5 Jan 2021
Author: Hanno Böck

This issue was distributed to 56,330 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Cross-signature will keep Let’s Encrypt compatible with old Android
  2. Short news

Cross-signature will keep Let’s Encrypt compatible with old Android

The Let’s Encrypt certificate authority is facing a challenging situation with its upcoming planned certificate switch.

Let’s Encrypt originally started with an intermediate certificate that was cross-signed by a root certificate owned by the IdenTrust certificate authority, but this root certificate, called DST Root CA X3, will expire in September 2021.

Let’s Encrypt has its own root certificate (called ISRG Root X1) and can issue its own intermediates. But given that the ISRG root certificate is newer, it isn’t as widely preinstalled on devices and operating systems. In particular, older Android versions—which are in widespread use—do not have it preinstalled.

To circumvent these problems, Let’s Encrypt now intends to get a new cross-signed intermediate from IdenTrust’s expiring root certificate. This is unusual, as the new intermediate would be valid for longer than the root certificate issuing it. However, this still guarantees compatibility because Android’s certificate validation is implemented in a way that doesn’t check the expiration date of the preinstalled root certificates.

The new intermediate will not directly sign end-entity certificates. Instead, it will indirectly sign the current Let’s Encrypt intermediate certificate, R3. This ensures that clients that know the Let’s Encrypt ISRG root certificate and that check the expiration dates of root certificates will still accept the certificate chain. The downside of this approach is that the chain will contain two certificates, creating additional traffic overhead.

Let’s Encrypt plans to offer alternative certificate chains so that clients can choose between a smaller chain and the longer chain that provides compatibility with older Android devices.
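
The acceptance logic described above, as an added example that is not part of the original newsletter or Let’s Encrypt’s code: a simplified path check run over the long and short chains after the DST root has expired. All dates, the leaf name, the "strict-dst-only" client and the modelling of the cross-signed intermediate under the ISRG Root X1 name are assumptions; signatures are not modelled.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# All dates below are constructed for illustration.
BEFORE_EXPIRY, AFTER_EXPIRY = date(2021, 1, 5), date(2021, 10, 15)
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))
# Assumption: the new cross-signed intermediate carries the ISRG Root X1 name,
# so R3 chains to it by issuer name exactly as it chains to the ISRG root.
CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 1))
LEAF = Cert("www.example.test", "R3", date(2021, 12, 1))

LONG_CHAIN = [LEAF, R3, CROSS]   # compatible with old Android
SHORT_CHAIN = [LEAF, R3]         # smaller alternative chain

def validate(chain, trust_store, today, check_anchor_expiry=True):
    """Walk the served chain leaf-first and stop at the first trusted issuer.

    Signatures are not modelled; issuer/subject name matching stands in.
    """
    anchors = {c.subject: c for c in trust_store}
    for i, cert in enumerate(chain):
        if i > 0 and chain[i - 1].issuer != cert.subject:
            return False                 # chain is out of order or broken
        if today > cert.not_after:
            return False                 # served certificates are always date-checked
        anchor = anchors.get(cert.issuer)
        if anchor and (not check_anchor_expiry or today <= anchor.not_after):
            return True                  # reached an acceptable trust anchor
    return False

def matrix(today):
    """Return {(client, chain): accepted} for three client models."""
    clients = {
        "old-android": ([DST_ROOT], False),       # ignores root expiry
        "strict-dst-only": ([DST_ROOT], True),    # checks root expiry, lacks ISRG root
        "modern": ([DST_ROOT, ISRG_ROOT], True),  # checks root expiry, has ISRG root
    }
    chains = {"long": LONG_CHAIN, "short": SHORT_CHAIN}
    return {(c, n): validate(ch, store, today, chk)
            for c, (store, chk) in clients.items() for n, ch in chains.items()}

if __name__ == "__main__":
    for key, ok in matrix(AFTER_EXPIRY).items():
        print(key, "accepted" if ok else "rejected")
```

The "strict-dst-only" row shows that the long chain only helps clients that skip the root expiry check: a client that enforces it and lacks the ISRG root rejects both chains once the DST root has expired.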

Short news